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INTRODUCTION 



The global business environment continues to evolve rapidly, creating opportunities and challenges for 
all types of organizations. Upheaval in economic and financial markets, uncertain political environments, 
technological innovation, expanding regulation and oversight, new competitive forces, and a host of 
other significant risk drivers are all contributing to the risk dialogue in boardrooms and executive offices. 
Organizations in virtually every industry and country are reminded, all too frequently, that they operate 
in a risky world. 

To provide perspectives about the nature of potential risks in 2013, Protiviti and North Carolina 
State University's ERM Initiative recently surveyed more than 200 business executives to obtain their 
views about what risks they believe are likely to affect their organizations over the next 12 months. 
The respondent group, comprised primarily of board members and C-suite executives, provided their 
perspectives about the potential impact of 20 specific risks across three dimensions: 

• Macroeconomic risks likely to affect their organization's growth opportunities over the next 
12 months 

• Strategic risks the organization faces that may affect the validity of its strategy for the pursuit of 
growth opportunities over the next 12 months 

• Operational risks that might affect key operations of the organization in executing its strategy 
over the next 1 2 months 

In presenting the results of our research, we begin with a brief description of our methodology and an 
executive summary of the results. Following this introduction, we discuss the overall risk concerns for 
2013, followed by a review of results by size of organization and type of executive respondent, as well 
as a breakdown by industry. We conclude with a discussion of the organizations' plans to improve their 
capabilities for managing risk. 

Our plan is to conduct this risk survey periodically so we can stay abreast of key risk issues on the minds 
of executives and observe trends in risk concerns over time. 
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METHODOLOGY 



More than 200 board members and executives across a number of industries participated in this survey, 
which was conducted in person and online in the fourth quarter of 2012. Respondents were asked to rate 
20 individual risk issues using a 10-point scale, where a score of 1 reflects "No Impact at All" and a score 
of 1 reflects "Extensive Impact" to their organizations over the next year. 

For each of the 20 Strategic, Macroeconomic and Operational risk issues included in our survey (see 
table below), we computed the average score reported by all respondents. Using mean scores across 
respondents, we rank-ordered risks from highest to lowest impact. 

We grouped all the risks based on their average scores into one of three classifications: 

• Risks with an average score of 6.0 or higher are classified as having a "Significant Impact" over 
the next 12 months. 

• Risks with an average score of 4.5 through 5.9 are classified as having a "Potential Impact" over 
the next 12 months. 

• Risks with an average score of 4.4 or lower are classified as having a "Less Significant Impact" 

over the next 12 months. 

We refer to these risk classifications throughout our report, and also review results for various 
demographic groups (company size and type, role of respondent, and industry). With respect to the 
various industries, we grouped related industries into combined industry groupings to facilitate analysis. 



Strategic Risk Issues 

• Rapid speed of disruptive technological 
innovations within the industry may 
outpace our organization's ability 

to compete and/or manage the risk 
appropriately, without making significant 
changes to our operating model 

• Regulatory changes and heightened 
regulatory scrutiny may affect the 
manner in which our products or 
services will be produced or delivered 

• Shifts in social, environmental, and 
other customer preferences and 
expectations will be difficult for us to 
identify and address on a timely basis 

• Ease of entrance of new competitors 
into the industry and marketplace will 
threaten our market share 

• An unexpected crisis would likely have a 
significant impact on our reputation given 
our organization's existing preparedness 

• Growth through acquisitions, joint 
ventures, and other partnership activities 
will be difficult to identify and implement 

• Organic growth through customer 
acquisition and/or enhancement 
presents a significant challenge 

• Substitute products and services may 
arise that affect the viability of our 
current business model and strategic 
initiatives on the horizon 



Macroeconomic Risk Issues 

• Anticipated volatility in global financial 
markets and currencies will create 
challenging issues for our organization 
to address 

• Uncertainty surrounding political 
leadership in national and international 
markets will limit growth opportunities 

• Potential changes in trade restrictions 
or other government sanctions will limit 
our ability to operate effectively and 
efficiently in international markets 

• Access to sufficient capital will restrict 
growth opportunities for our organization 

• Economic conditions in markets we 
currently serve will significantly restrict 
growth opportunities for our organization 



Operational Risk Issues 

• Uncertainty surrounding the viability of 
key suppliers or scarcity of supply will 
make it difficult to deliver our products 
or services 

• Succession challenges and the ability to 
attract and retain top talent may limit 
our ability to achieve operational targets 

• Cyber threats have the potential to 
significantly disrupt core operations for 
our organization 

• Ensuring privacy/identity management 
and information security/system 
protection will require significant 
resources for us 

• Our existing operations may not be able 
to meet performance expectations related 
to quality, time to market, cost and 
innovation as well as our competitors 

• Inability to utilize data analytics and 
"big data" to achieve market intelligence 
and increase productivity and efficiency 
is likely to affect our management of 
core operations and strategic plan 

• Resistance to change will restrict our 
organization from making necessary 
adjustments to the business model and 
core operations 
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EXECUTIVE SUMMARY 



Rarely has there been a greater need for transparency into the nature and magnitude of risks undertaken 
in executing an organization's corporate strategy than today. The first question an organization seeks 
to answer in risk management is, "What are our most critical risks?" The organization's answer to this 
question lays the foundation for management to respond with appropriate capabilities for managing 
these risks. This survey provides insights across different sizes of companies and across multiple industry 
groups as to what the key risks are for 2013 based on the input of the participating executives. 

Among the notable findings in this study: 

• Executives are significandy concerned about the magnitude and severity of risks that could affect 
the achievement of profitability or funding goals over the next year. 

• Overall, two risks stand out as being of the highest concern: 

- Risks related to profitability constraints due to overall economic conditions that will limit 
growth opportunities; and 

- Concerns about the potential for regulatory changes and heightened regulatory scrutiny that 
will affect how products and services will be produced and delivered. 

Both of these risks are perceived as having a "Significant Impact" across most industries, all types 
and sizes of organizations, and most types of respondents. 

• In addition to concerns about the economy and regulatory change, the other risk viewed as having 
a major impact in the coming year relates to growth opportunities being restricted by uncertainty 
surrounding political leadership in national and international markets. 

• Other top risks, while not perceived as having a "Significant Impact" overall, include risks related 
to succession planning and attracting/retaining top talent; anticipated volatility in global financial 
markets; and cyber threats, privacy, identity management, and other information security and 
system protection risks. Rounding out our top 10 list of risks are organizational resistance to 
change, and ability to meet performance expectations as well as competitors. 

A number of other insights about the overall risk environment for 2013 can be gleaned from this report: 

• The largest organizations (those with revenues greater than $10 billion) view a greater number 
of risks to have, potentially, a "Significant Impact" on them than do smaller organizations. Large 
organizations identified eight out of 20 risks as "Significant Impact" risks. In contrast, smaller 
organizations (those with revenues less than $100 million) perceive the environment to be much 
less risky - they ranked just two out of 20 risks as ones that will have "Significant Impact" in 2013. 

• There is overall agreement in perspectives about risks across different types of respondents, with the 
exception of chief risk officers (CROs), who view more risks at a "Significant Impact" level. Perhaps 
not surprisingly, these same executives indicated the greatest likelihood that their organization will be 
investing more resources in risk management over the next year. 

• When we analyze the data by type of organization (publicly held, private, not-for-profit/government), 
fewer risks are considered as "Significant Impact" risks relative to our industry analysis. This suggests 
that differences in risk conditions are linked more to industry or size and less to type of organization. 

In this report, we provide in-depth analysis of perceptions about specific risk concerns, and identify and 
discuss variances in the responses when viewed by organization size, ownership type and industry, as well 
as by respondent role. 
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OVERALL RISK CONCERNS FOR 2013 



Topping the list of risks is the concern that regulatory changes and heightened regulatory scrutiny 
may affect the manner in which the organization's products and services will be produced or 
delivered. This suggests organizations have significant concerns that regulatory challenges may affect 
their strategic direction. The stakes are high since, without effective management of regulatory risks, the 
organization is reactive, at best, and non-compliant, at worst, with all of the attendant consequences. 

The next two highest-rated risk concerns highlight interrelated macroeconomic issues. Respondents 
indicated notable concerns about overall economic conditions restricting growth as well as concerns 
about uncertainty surrounding political leadership affecting U.S. and international markets, 

which in turn may also restrict growth opportunities. The challenge of adjusting to changes in the global 
economy along with continued shifts in geopolitical dynamics presents a complex, ever-changing picture. 

Also included in the top five risks are concerns about the ability to grow organically through 
customer acquisition, and challenges related to leadership and to succession planning within the 
participating organizations. Organic growth through expanding the overall customer base, increasing 
output per customer and generating new sales is a priority as organizations are concerned with the high 
costs of replacing lost business and the significant uncertainties of seeking growth through mergers and 
acquisitions. In addition, the war for talent continues as a concern while a significant shortfall of workers 
looms on the horizon in many developed countries. This concern translates into succession issues that 
may not be addressed adequately. 



Table l:Top 10 Risks 



Regulatory changes and heightened regulatory scrutiny may affect the manner in 
which our products or services will be produced or delivered 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Organic growth through customer acquisition and/or enhancement presents a 

significant challenge 

Succession challenges and the ability to attract and retain top talent may limit 

our ability to achieve operational targets 

Anticipated volatility in global financial markets and currencies will create 
challenging issues for our organization to address 

Cyber threats have the potential to significantly disrupt core operations 

for our organization 

Ensuring privacy/identity management and information security/system 
protection will require significant resources for us 

Resistance to change will restrict our organization from making necessary 
adjustments to the business model and core operations 

Our existing operations may not be able to meet performance expectations 
related to quality, time to market, cost and innovation as well as our competitors 




M Macroeconomic 
Risk Issue 

Operational 
Risk Issue 

Strategic 
Risk Issue 



4.5 



5.5 



6.5 



7.5 
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Rounding out the top 10 risks are the following risk concerns: 

• Anticipated volatility in global financial markets and currencies will create challenging 
issues - Significant financial risks in the form of emerging market, credit, currency and other risks 
continue to be a concern. Few organizations are immune to the vagaries of the global economic and 
financial markets and the related impact on interest rates, credit availability and currencies. 

• Cyber threats have the potential to disrupt core operations significantly - Over the last two 
years, reports of cyber attacks of unprecedented sophistication across multiple industries, resulting 
in the loss of intellectual property and business intelligence, have made the headlines. Since it is 
unlikely that all breaches have been reported, the sheer number and magnitude of malicious attacks 
create a need to better understand the threats and develop proactive solutions to mitigate them. 

• Privacy/identity management and information security/system protection will be significant 
issues to manage - Technological innovation is a powerful source of disruptive change of which no 
one wants to be on the wrong side. Cloud computing, social media, mobile technologies and other 
initiatives to use technology as a source of innovation and an enabler to strengthen the customer 
experience present new challenges with managing privacy, information and system security risks. 

• Resistance to change may restrict necessary adjustments to the business model and core 
operations - In these uncertain times, it makes sense to increase the organization's ability to 
change and adapt to a rapidly evolving business environment. Therefore, response readiness is 
important, as is the agility and resiliency of the organization. 

• Existing operations may deliver performance falling short of expectations related to quality, 
time to market, cost and innovation - Improving quality, time, innovation and cost performance 
is as important today as it has ever been. 
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ANALYSIS ACROSS DIFFERENT SIZES OF ORGANIZATIONS 



The sizes of organizations, as measured by annual revenues, vary across our 205 respondents as follows: 



Most Recent Revenues 


Number of 
Respondents 


Revenues $10 billion or greater 


31 


Revenues $1 billion to $9.99 billion 


69 


Revenues $100 million to $999 .99 million 


74 


Revenues less than $100 million 


24 


Those not reporting revenues 


7 


Total Number of Respondents 


205 



Consistent with what we have previously reported, concerns about the potential impact of regulatory 
changes and heightened regulatory scrutiny affecting the manner in which products and services 
will be produced or delivered are noticeably high for all sizes of organizations. Similarly, uncertainty 
surrounding political leadership in national and international markets limiting growth opportunities and 
concerns about economic conditions in markets they serve remain high across most sizes of organizations. 
Clearly, the regulatory environment and the potential for further change to that environment are of 
paramount concern to many organizations, influencing their decisions to expand, invest and hire. 

While the following charts only highlight the top five risks (including ties), our analysis of the full results 
found that the largest organizations rated more risks as "Significant Impact" risks (i.e., average scores of 
6.0 or higher). Moreover, just one of the 20 risks for these organizations has an average score low enough 
to be considered a "Less Significant Impact" risk. Thus, as would be expected, the environment for the 
largest organizations appears to be the riskiest relative to other size categories of organizations. 

Small and midsize organizations (those with revenues below $1 billion) only scored two risks as "Significant 
Impact" risks while eight of the 20 risks had averages below 4.5 on the 10-point scale, which we categorize 
as "Less Significant Impact" risks. Again, as would be expected, the size of the organization is likely a proxy 
for the complexities within the organization and thus may be an important dimension to consider when 
evaluating risks across multiple entities. 

The accompanying charts summarize the top-rated risks by type of organization. Only the top five risks 
(with ties) are reported. 



Organizations with Revenues $10 Billion or Greater 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Bfl 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Economic conditions in markets we currently serve will significantly restrict IJH 

growth opportunities for our organization 

Potential changes in trade restrictions or other government sanctions will limit 
our ability to operate effectively and efficiently in international markets 

Anticipated volatility in global financial markets and currencies will create 
challenging issues for our organization to address 

4 4.5 5 5.5 6 6.5 7 7.5 8 
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Organizations with Revenues between $1 Billion and $9.99 Billion 



Regulatory changes and heightened regulatory scrutiny may affect the manner in 
which our products or services will be produced or delivered 


S 




Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 


M 






Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 


M 














Organic growth through customer acquisition and/ or enhancement presents 

a significant challenge 


S 
















Succession challenges and the ability to attract and retain top talent may limit 

our ability to achieve operational targets 



















Cyber threats have the potential to significantly disrupt core operations 

for our organization 



















Ensuring privacy/identity management and information security/system 
protection will require significant resources for us 












Organizations with Revenues between $100 Million and $999.99 Million 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Efl 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Succession challenges and the ability to attract and retain top talent may limit BJH 

our ability to achieve operational targets Hfl 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Organic growth through customer acquisition and/or enhancement presents 

a significant challenge B| 

Ensuring privacy/identity management and information security/system BJH 
protection will require significant resources for us Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Organizations with Revenues less than $100 Million 

Uncertainty surrounding political leadership in national and international IH 

markets will limit growth opportunities 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Bfl 

Economic conditions in markets we currently serve will significantly restrict IH 

growth opportunities for our organization 

Organic growth through customer acquisition and/or enhancement presents 

a significant challenge BH 

Anticipated volatility in global financial markets and currencies will create IH 
challenging issues for our organization to address 

4 4.5 5 5.5 6 6.5 7 7.5 8 
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ANALYSIS ACROSS EXECUTIVE POSITIONS REPRESENTED 



We targeted our survey to individuals currently serving on the board of directors or in senior executive 
positions so that we could capture C-suite and board perspectives about risks on the horizon for 2013. 
Respondents to the survey hold a number of different executive positions - 19 serve on the board of 
directors of an organization, and the remaining respondents serve in a variety of executive positions. The 
positions with the greatest number of respondents are summarized below: 



Executive Position 


Number of 
Respondents 


Board Member 


19 


Chief Financial Officer 


29 


Chief Risk Officer 


42 


Chief Audit Executive 


54 


Other C-Suite 1 


44 


All Other 2 


17 


Total Number of Respondents 


205 



To determine if perspectives about top risks differ across executive positions, we also analyzed key findings 
for board members and the four executive positions with the greatest number of respondents: chief 
financial officer (CFO), chief risk officer (CRO), chief audit executive (CAE) and other C-suite. 3 The 
results are summarized in Table 2 on the following page. 

As discussed previously, to help identify differences in risk concerns across respondent type, we group all 
the risks based on their average scores into one of three classifications. We use the following color-coding 
scheme to highlight visually risks using these three categories: 

Significant Impact - Rating of 6.0 or higher 

Q Potential Impact - Rating of 4.5 - 5.9 

Q Less Significant Impact - Rating of 4.4 or lower 



This category includes titles such as chief executive officer, chief compliance officer, chief operating officer, general counsel and chief 
information officer. 

These 17 respondents either did not provide a response or are best described as middle management or business advisers/consultants. 
We do not provide a separate analysis for this category. 

We grouped individuals with equivalent, but different executive titles, into these positions when appropriate. For example, we included 
"Vice President - Risk Management" in the CRO grouping and we included "Director of Finance" in the CFO grouping. 
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Table 2: Perceived Impact over Next 12 Months 

< 



Macroeconomic Risk Issues 




Anticipated volatility in global financial markets and currencies will create challenging issues 
for our organization to address 














Uncertainty surrounding political leadership in national and international markets will 
limit growth opportunities 














Potential changes in trade restrictions or other government sanctions will limit our ability 
to operate effectively and efficiently in international markets 














Access to sufficient capital will restrict growth opportunities for our organization 














Economic conditions in markets we currently serve will significantly restrict 
growth opportunities for our organization 














Strategic Risk Issues 




Rapid speed of disruptive technological innovations within the industry may outpace our 
organization's ability to compete and/or manage the risk appropriately, without making 
significant changes to our operating model 














Regulatory changes and heightened regulatory scrutiny may affect the manner in which 
our products or services will be produced or delivered 














Shifts in social, environmental, and other customer preferences and expectations will be 
difficult for us to identify and address on a timely basis 














Ease of entrance of new competitors into the industry and marketplace will threaten 
our market share 














An unexpected crisis would likely have a significant impact on our reputation given 
our organization's existing preparedness 














Growth through acquisitions, joint ventures, and other partnership activities will be difficult 
to identify and implement 














Organic growth through customer acquisition and/or enhancement presents 
a significant challenge 














Substitute products and services may arise that affect the viability of our current business 
model and strategic initiatives on the horizon 














Operational Risk Issues 




Uncertainty surrounding the viability of key suppliers or scarcity of supply will make it difficult 
to deliver our products or services 














Succession challenges and the ability to attract and retain top talent may limit our ability 
to achieve operational targets 














Cyber threats have the potential to significantly disrupt core operations for our organization 














Ensuring privacy/identity management and information security/system protection will require 
significant resources for us 














Our existing operations may not be able to meet performance expectations related to quality, 
time to market, cost and innovation as well as our competitors 














Inability to utilize data analytics and "big data" to achieve market intelligence and increase 
productivity and efficiency is likely to affect our management of core operations and strategic plan 














Resistance to change will restrict our organization from making necessary adjustments to the 
business model and core operations 
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Consistent with the previous analyses provided in this report, almost all executives rated risks related 
to economic conditions and regulatory changes as "Significant Impact" risks. CFOs rated the risk 
associated with regulatory change as 5.9 - just below the threshold established for "Significant Impact." 
Board members, CAEs and CFOs did not rate any of the other 18 risks as "Significant Impact" risks. 
Other C-suite executives identified two additional risks associated with volatility in global financial 
markets and political uncertainty as significant. The remaining risks for board members, CFOs, CAEs 
and other C-suite executives were either "Potential Impact" risks or "Less Significant Impact" risks. 

CROs named three additional risks at levels we categorize as "Significant Impact" risks. CROs are also 
noticeably concerned with operational risks related to cyber threats, risks related to succession issues and 
recruitment and retention of managerial talent, and risks related to privacy/identity management and 
information security. In total, CROs rated five of the 20 risks as "Significant Impact" risks as compared 
to all other executives, who identified two or less (board members, CAEs and CFOs) or four (other 
C-suite) of the 20 risks at that level. So, perhaps unsurprisingly, CROs perceive that some risks have 
more potential impact to their organizations than other executives. CROs may have a broader, enterprise 
perspective of risks arising from multiple silos across the organization's operations and that viewpoint 
manifests itself in their assessments of overall risk conditions. 



Board Members 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Regulatory changes and heightened regulatory scrutiny may affect the manner 
in which our products or services will be produced or delivered 

Organic growth through customer acquisition and/or enhancement presents a 

significant challenge Bfl 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Cyber threats have the potential to significantly disrupt core operations BJH 

for our organization Kfl 

Ensuring privacy/identity management and information security/system BJH 
protection will require significant resources for us Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Chief Financial Officers 

Economic conditions in markets we currently serve will significantly restrict IH 

growth opportunities for our organization 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Bfl 

Succession challenges and the ability to attract and retain top talent may limit BJH 

our ability to achieve operational targets Hfl 

Ensuring privacy/identity management and information security/system BJH 

protection will require significant resources for us Kfl 

Organic growth through customer acquisition and/or enhancement presents a BH 

significant challenge Efl 

4 4.5 5 5.5 6 6.5 7 7.5 8 
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Chief Risk Officers 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Bfl 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Cyber threats have the potential to significantly disrupt core operations W^M 

for our organization 

Succession challenges and the ability to attract and retain top talent may limit BjH 

our ability to achieve operational targets Kfl 

Ensuring privacy/identity management and information security/system W^M 

protection will require significant resources for us Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Chief Audit Executives 

Regulatory changes and heightened regulatory scrutiny may affect the manner HB 
in which our products or services will be produced or delivered Hfl 

Economic conditions in markets we currently serve will significantly restrict HH 

growth opportunities for our organization 

Ensuring privacy/identity management and information security/system BjH 
protection will require significant resources for us Hfl 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Organic growth through customer acquisition and/or enhancement presents a 

significant challenge fifl 

Cyber threats have the potential to significantly disrupt core operations 

for our organization Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Other C-Suite Executives 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Bfl 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Economic conditions in markets we currently serve will significantly restrict IH 

growth opportunities for our organization 

Anticipated volatility in global financial markets and currencies will create 

challenging issues for our organization to address HH 

Succession challenges and the ability to attract and retain top talent may limit BJH 

our ability to achieve operational targets Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 
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INDUSTRY ANALYSIS 



Respondents to our survey represent organizations in a number of industry groupings as shown below: 



Industry 


Number of 
Respondents 


Financial Services 


57 


Consumer Products and Services 


39 


Industrial Products 


27 


Healthcare and Life Sciences 


25 


Technology, Media and Communications 


23 


Energy and Utilities 


19 


Other industries (not separately reported) 


15 


Total Number of Respondents 


205 



We analyzed responses across these six industry groups to determine whether industries rank-order 
risks differently. 

Table 3 (on the following page) provides an overview of the significance and differences across 
industries in executive perspectives about each of the 20 risks rated in this study (categorized as 
macroeconomic, strategic and operational risk issues). 

Consistent with the full sample, respondents across all industry groups believe economic conditions in 
markets they currently serve will significantly restrict growth opportunities for them this year. All 
industry groups rated that risk as having a significant impact, as illustrated by the red circle across all 
industry columns. Most industry groups also believe regulatory changes and heightened regulatory scrutiny 
may signincandy affect the manner in which the organization's products or services will be produced or 
delivered (exceptions are Industrial Products, and Technology, Media and Communications). 

Most industry groups identified three to four risks as having a "Significant Impact;" however, both the 
Financial Services and the Technology, Media and Communications industry groups had the greatest 
number of "Significant Impact" risks. 

Four risks rated as less significant to most industries (at least four of six industries) relate to access to capital 
markets; ease of entrance of new competitors; ability to grow through acquisitions, joint ventures and other 
partnerships; and uncertainty surrounding viability of key suppliers or scarcity of supplies. Most industries 
perceive these risks to be "Less Significant Impact." No industry groups scored them high enough to be 
"Significant Impact" risks, with most scoring these risks at the lowest level ("Less Significant Impact"). 

The bar charts on pages 14-16 report the top five risk exposures (including ties) in rank order for each of 
the six industry groups. Recall that a risk with an average score of 6.0 or higher is considered a "Significant 
Impact" risk while risks with average scores between 4.5 and 5.9 are "Potential Impact" risks and risks with 
average scores below 4.5 are "Less Significant Impact" risks For each of the industry groups, commentary 
is provided regarding the risk exposures noted. 
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Table 3: Perceived Impact over Next 12 Months « 

< 



Macroeconomic Risk Issues 


Anticipated volatility in global financial markets and currencies will create challenging 
issues for our organization to address 
















Uncertainty surrounding political leadership in national and international markets 
will limit growth opportunities 
















Potential changes in trade restrictions or other government sanctions will limit 
our ability to operate effectively and efficiently in international markets 
















Access to sufficient capital will restrict growth opportunities for our organization 
















Economic conditions in markets we currently serve will significantly restrict growth 
opportunities for our organization 
















Strategic Risk Issues 


Rapid speed of disruptive technological innovations within the industry may outpace 
our organization's ability to compete and/or manage the risk appropriately, without 
making significant changes to operations 
















Regulatory changes and heightened regulatory scrutiny may affect the manner in which 
our products or services will be produced or delivered 
















Shifts in social, environmental, and other customer preferences and expectations 
will be difficult for us to identify and address on a timely basis 
















Ease of entrance of new competitors into the industry and marketplace will threaten 
our market share 
















An unexpected crisis would likely have a significant impact on our reputation given 
our organization's existing preparedness 
















Growth through acquisitions, joint ventures, and other partnership activities will be 
difficult to identify and implement 
















Organic growth through customer acquisition and/or enhancement presents 
a significant challenge 
















Substitute products and services may arise that affect the viability of our current 
business model and strategic initiatives on the horizon 
















Operational Risk Issues 


Uncertainty surrounding the viability of key suppliers or scarcity of supply will make it 
difficult to deliver our products or services 
















Succession challenges and the ability to attract and retain top talent may limit 
our ability to achieve operational targets 
















Cyber threats have the potential to significantly disrupt core operations 
for our organization 
















Ensuring privacy/identity management and information security/system protection 
will require significant resources for us 
















Our existing operations may not be able to meet performance expectations related to 
quality, time to market, cost and innovation as well as our competitors 
















Inability to utilize data analytics and "big data" to achieve market intelligence 
and increase productivity and efficiency is likely to affect our management of core 
operations and strategic plan 
















Resistance to change will restrict our organization from making necessary adjustments 
to the business model and core operations 
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Consumer Products and Services 



Economic conditions in markets we currently serve will significantly restrict HH 

growth opportunities for our organization |MH 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Efl 

Succession challenges and the ability to attract and retain top talent may limit BjH 

our ability to achieve operational targets Kfl 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities HjH 

Ensuring privacy/identity management and information security/system BJH 

protection will require significant resources for us Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



For this industry group, economic growth constraints continue as uncertain consumer confidence persists 
while political and regulatory changes occur on the heels of a recovering economy. New laws, including the 
Affordable Care Act, and rising taxes will put increased strains on both businesses and consumers. Although 
the increased regulation is typically less than other industries, the changes will require strong leadership to 
keep the business competitive and provide products and services the consumer wants and can afford. Privacy 
ranked fifth, but not far below the top risk of economic conditions. In a technology-enhanced world where 
consumer businesses win by marketing to the masses while customizing to the individual, breaching any 
consumer information is a risk that can be as damaging as providing the wrong products or services. Given the 
significance of the risk and the complexity of the technology protocols, having a strong plan to manage this risk 
is as important as managing through the economic, regulatory and political environment. All this leaves little 
doubt of the importance of attracting and retaining top talent for Consumer Products and Services companies. 



Energy and Utilities 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 

which our products or services will be produced or delivered Bfl 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Succession challenges and the ability to attract and retain top talent may limit BJH 

our ability to achieve operational targets Kfl 

Organic growth through customer acquisition and/or enhancement presents a 

significant challenge Bfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Energy companies - already heavily regulated - are under increasing pressure to improve corporate governance, 
manage risk, and comply with new policies, laws and regulations. Regulatory changes can add tremendous 
cost to an organization and even the threat of changes can create investment uncertainties. The wave of drilling 
activity in shale plays utilizing hydraulic fracturing technology as well as the heightened "Green Movement" 
could result in the potential tightening of environmental regulations. The additional public scrutiny from oil spills 
as well as significant discussion around the elimination of certain tax benefits all contribute to regulatory change 
being the top risk. Concerns over economic conditions in current markets, as well as political leadership in 
national and international markets, are understandable as political leaders domestically and internationally are 
promoting and subsidizing alternative energy sources, and the current gridlock in Washington leaves companies 
in an anticipatory mode. Power and other energy companies are watching developments on the climate change 
legislation front closely to understand the potential effect on their operations. 



EXECUTIVE PERSPECTIVES ON TOP RISKS FOR 2013 



Financial Services 



Regulatory changes and heightened regulatory scrutiny may affect the manner in PB 
which our products or services will be produced or delivered Efl 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Cyber threats have the potential to significantly disrupt core operations BJH 

for our organization Kfl 

Anticipated volatility in global financial markets and currencies will create 
challenging issues for our organization to address 

Ensuring privacy/identity management and information security/system BJH 
protection will require significant resources for us Kfl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Coming out of the financial crisis, financial institutions are dealing with a highly dynamic regulatory 
environment and an unprecedented number of new requirements, including, as examples, Dodd-Frank, Basel 
III, and mortgage and derivatives trading reforms. Complicating the situation is a perceived lack of coordination 
among international regulatory bodies and significant shifts in the overall regulatory oversight framework. 
This is especially a concern given new regulators such as the Consumer Financial Protection Bureau in the 
United States, and changes to existing regulatory bodies such as the separation of prudential supervision of 
institutions from conduct regulation in the United Kingdom. Financial Services respondents also noted concern 
with macroeconomic risks, which tend to directly impact the need for and availability of credit, volatility in 
market risk and general customer behavior. Finally, security and privacy risks remain a longstanding issue 
within Financial Services given the expansion of social media, the sensitivity of account-level data, financial 
assets that can be accessed through compromise of such data, and the significant amount of nonpublic 
personally identifiable data that exists within most financial institutions. 



Healthcare and Life Sciences 

Regulatory changes and heightened regulatory scrutiny may affect the manner in 
which our products or services will be produced or delivered 

Uncertainty surrounding political leadership in national and international 

markets will limit growth opportunities 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Succession challenges and the ability to attract and retain top talent may limit BJH 

our ability to achieve operational targets Kfl 

Ensuring privacy/identity management and information security/system IJH 
protection will require significant resources for us 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Regulatory changes and scrutiny continue to be the highest strategic risk areas of focus for organizations in the 
Healthcare and Life Sciences industries. For example, the implementation of the Affordable Care Act continues 
to force significant change, and the realization of reduced revenues driven by lower government reimbursement 
rates is driving strategic initiatives such as accountable care organizations, physician alignment strategies 
and other quality of care programs. In addition, government incentives around "Meaningful Use" have driven 
widespread implementation of electronic health records, and with the introduction of emerging health 
information exchanges, the risks around security and privacy of protected health information are becoming 
more complex to manage. Each day brings news of more HIPAA security and privacy breaches requiring the 
addition of resources for adequate protection. 
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Industrial Products 

Economic conditions in markets we currently serve will significantly restrict 

growth opportunities for our organization 

Organic growth through customer acquisition and/or enhancement presents a BB 

significant challenge ■fl 

Anticipated volatility in global financial markets and currencies will create MVJ 

challenging issues for our organization to address ■■■ 

Uncertainty surrounding political leadership in national and international MVJ 

markets will limit growth opportunities ■■■ 

Regulatory changes and heightened regulatory scrutiny may affect the manner in VJJ 

which our products or services will be produced or delivered ■fl 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Several of the top risks for Industrial Products companies are interrelated because they operate in a global 
environment with complex, integrated value chains, from upstream suppliers through operations and ultimately 
downstream to customers. In addition, economic conditions have created an environment of slow growth rates, 
albeit ones that continue to improve. Continued volatility in foreign exchange rates and commodity costs across 
the supply chain is squeezing margins if a manufacturer is unable to pass through these cost increases to 
customers. Beyond these macro issues, however, the day-to-day reality of increased - and sometimes unclear 
- regulatory requirements is driving greater compliance efforts and costs. Recently passed legislation (such as 
Dodd-Frank Conflict Minerals disclosures, California's Supply Chain Transparency law and the U.K. Bribery Act), 
ongoing compliance scrutiny (such as Foreign Corrupt Practices Act compliance), and ongoing uncertainty related 
to proposed changes in taxes and healthcare requirements are presenting new challenges. 



Technology, Media and Communications 

Economic conditions in markets we currently serve will significantly restrict VfBJ 

growth opportunities for our organization ■■■ 

Ensuring privacy/identity management and information security/system IjBJ 

protection will require significant resources for us Bjfl 

Rapid speed of disruptive technological innovations within the industry may 

outpace our organization's ability to compete and/or manage the risk I 

appropriately, without making significant changes to operations ^^^^^^^^^^^^^^^ 

Cyber threats have the potential to significantly disrupt core operations BJH 

for our organization 

Our existing operations may not be able to meet performance expectations BJBJ 
related to quality, time to market, cost and innovation as well as our competitors 

Resistance to change will restrict our organization from making necessary 
adjustments to the business model and core operations 

4 4.5 5 5.5 6 6.5 7 7.5 8 



Given the rapid pace of change and convergence taking place in this industry group, companies operating in 
this space face significant challenges in driving innovation, developing new products and protecting intellectual 
capital. While the globalization of the supply chain has continued to drive down the cost of production, the 
demand for engineering and creative talent has driven up the costs of development. A product's lifecycle is 
now measured routinely in months as opposed to years, resulting in a more limited time period to recover 
the costs of research and development that all technology, media and communications companies need to 
expend. Against this backdrop, this industry requires the spending power of individuals, organizations 
and governments. When economic conditions are weak, consumers limit discretionary spending and these 
companies are impacted significantly. 
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ANALYSIS OF DIFFERENCES BETWEEN PUBLIC AND NON-PUBLIC ENTITIES 



Participants in the survey represent three types of organizations: publicly traded companies (104 
respondents), privately held for-profit entities (66 respondents), and not-for-profit and governmental 
organizations (3 5 respondents). According to the survey results, all types of organizations have concerns 
about economic conditions and regulatory changes, consistent with the full sample. Clearly, economic 
uncertainty and the resulting changes that might occur in regulatory oversight top the list of risk concerns 
regardless of type of organization. Both public companies and not-for-profit organizations note concerns 
about growth opportunities being limited due to uncertainty surrounding political leadership in national 
and international markets. 

Interestingly, when analyzing the data across public, privately held, and not-for-profit/government 
organizations, most other risks are not rated as "Significant Impact" risks (i.e., average scores of 6.0 or 
higher). Other than the risks described in the preceding paragraph, respondents in publicly traded or 
privately held, for-profit entities scored the 1 7 remaining risks as "Potential Impact" or "Less Significant 
Impact" risks. 

PLANS TO DEPLOY RESOURCES TO ENHANCE 
RISK MANAGEMENT CAPABILITIES 



Finally, in light of the risk environment, we asked executives to provide insights about whether the 
organization plans to devote additional resources to risk management over the next 12 months. We 
used a 10-point scale whereby 1 signifies "Unlikely to Make Changes" and 10 signifies "Extremely 
Likely to Make Changes." 

The likelihood of deploying more resources to risk management is at a moderate level for the full 
sample as represented by the average score of 5.8 out of 10 points possible. The noticeable difference is 
Financial Services, which had an average score of 7.0 out of 10 points, suggesting a greater likelihood 
of this group to deploy more resources to improve risk management capabilities. 





All 

Respondents 


Consumer 
Products 
and Services 


Energy 

and 
Utilities 


Financial 
Services 


Healthcare 
and Life 
Sciences 


Industrial 
Products 


Technology, 
Media and 
Communications 

5.5 


Likelihood the organization plans to 
devote additional resources to risk 
management over the next 12 months 
(1 = unlikely; 10 = extremely likely) 


5.8 


5.7 


4.5 


7.0 


5.5 


5.4 



We also analyzed responses to that question across different sizes of organizations, with the largest 
organizations signaling they are most likely to deploy additional resources to risk management: 





All 

Respondents 


Revenues 
Less than $100M 


Revenues 
$100M -$999.99N\ 


Revenues 
$1B-$9.99B 


Revenues $10B 
or higher 


Likelihood the organization plans to devote 
additional resources to risk management 
over the next 12 months 
(1 = unlikely; 10 = extremely likely) 


5.8 


6.1 


5.8 


5.3 


6.7 



These results make sense as the largest organizations typically have more resources that they can bring 
to bear to managing risk, and they note that their environments are perceived to be riskier relative to 
smaller entities. 
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Not-for-profit and governmental organizations also signaled a higher likelihood of investing additional 
resources in risk management over the next 12 months relative to publicly-held and private, for-profit 
organizations: 





All 

Respondents 


Publicly Traded 
Companies 


Private, For- 
Profit Enterprises 


Not-for-Profitand 
Governmental 
Organizations 


Likelihood the organization plans to devote additional 
resources to risk management over the next 12 months 
(1 = unlikely; 10 = extremely likely) 


5.8 


5.6 


5.8 


6.4 



These results are interesting as risks to these organizations can relate to a variety of issues, including 
fraud, waste, misuse of assets, inadequate monitoring of investments, incomplete or unreliable 
information, and violation of legal requirements, not to mention reputation loss. 

Executives, more so than board members, indicate a greater likelihood of investing additional resources 
in risk management over the next year. CROs and CFOs signaled the greatest likelihood of additional 
resources being deployed by their organizations to strengthen risk oversight over the next 12 months. 
That finding may not be surprising given the greater number of risks identified as "Significant Impact" 
risks by CROs relative to other executives as discussed earlier: 





All 

Respondents 


Board 
Members 


Chief Financial 
Officers 


Chief Risk 
Officers 


Chief Audit 
Executives 


Other 
C-Suite 


Likelihood the organization plans to devote additional 
resources to risk management over the next 12 months 
(1 = unlikely; 10 = extremely likely) 


5.8 


5.1 


6.0 


6.3 


5.4 


5.9 
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CONCLUSION 



This report provides insights from more than 200 executives about those risks that in 2013 may 
significantly affect profitability and funding objectives of their organizations. Overall, most executives 
rate the business environment as signifi candy risky. 

Risks related to current economic conditions, changes in regulatory oversight and scrutiny, and 
uncertainty surrounding political leadership in both U.S. and international markets are noted consistendy 
across industries, organizations of all sizes and types, and executive positions of respondents. While 
these three risk issues are consistendy rated as "Significant Impact" risks, there is noticeable variation in 
perspectives about other risk areas across organizations. That suggests that there is no one-size-fits-all list 
of risk issues for organizations. Rather, the most notable risks vary across industry, size of organization, 
and type of ownership structure. 

Because of the rapid pace of change in the global business environment, executives and boards 
of directors can benefit from a periodic assessment of risks on the horizon to best position their 
organizations for a proactive versus reactive response to risks that emerge and potentially impact their 
ability to achieve profitability and funding objectives. Following are some suggested questions that 
executives and boards should consider as they evaluate their risk assessment process: 

• Is management periodically evaluating changes in the business environment to identify the risks 
inherent in the corporate strategy? Is the board sufficiendy involved in the process, particularly 
when such changes involve acquisition of new businesses, entry into new markets, the introduction 
of new products or alteration of key assumptions underlying the strategy? 

• Does management apprise the board in a timely manner of significant risks or significant changes 
in the organization's risk profile? Is there a process for identifying emerging risks? Does it result in 
consideration of response plans on a timely basis? 

• Is the board aware of the most critical risks facing the company? Does the board agree on why these 
risks are significant? Do directors understand the organization's responses to these risks? Is there an 
enterprisewide process in place that directors can point to that answers these questions and is that 
process informing the board's risk oversight? 

• Is there a periodic board-level dialogue regarding management's appetite for risk and whether 
the organization's risk profile is consistent with that risk appetite? Is the board satisfied that the 
strategy-setting process appropriately considers a substantive assessment of the risks the enterprise 
is taking on as it formulates and executes its strategy? 

These and other questions can assist organizations in defining their organization's specific risks. 

We hope this report provides important insights about perceived risks on the horizon for 2013 
and provides a catalyst for an updated assessment of risks and risk management capabilities within 
organizations. 
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RESEARCH TEAM 



This research project was conducted in partnership between Protiviti and North Carolina State University's 
Enterprise Risk Management Initiative. Individuals participating in this project include: 

North Carolina State University's ERM Initiative 

• Mark Beasley 

• Bruce Branson 

• Don Pagach 

Protiviti 

• Carol Beauinier 

• Jim DeLoach 

• Kevin Donahue 



ABOUT PROTIVITI 



Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, 
technology, operations, governance, risk and internal audit. Through our network of more than 70 offices 
in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 
companies. We also work with smaller, growing companies, including those looking to go public, as well 
as with government agencies. 

Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, 
Robert Half International is a member of the S&P 500 index. 



ABOUT NORTH CAROLINA STATE UNIVERSITY'S ERM INITIATIVE 



The Enterprise Risk Management (ERM) Initiative in the Poole College of Management at North 
Carolina State University provides thought leadership about ERM practices and their integration 
with strategy and corporate governance. Faculty in the ERM Initiative frequently work with boards 
of directors and senior management teams helping them link ERM to strategy and governance, host 
executive workshops and educational training sessions, and issue research and thought papers on 
practical approaches to implementing more effective risk oversight techniques (www.erm.ncsu.edu). 
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